...
If sensitive data is not handled correctly in a program, an attacker can gain access to it.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC18-C | Medium | Probable | Medium | P8 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| HARDCODED.AUTH HARDCODED.KEY HARDCODED.SALT MISC.CRYPTO.NOPAD MISC.PWD.PLAIN | Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Encryption without Padding Plaintext Storage of Password | ||||||
| Polyspace Bug Finder | R2016a | Sensitive heap memory not cleared before release Uncleared sensitive data in stack | Sensitive data not cleared or released by memory routine Variable in stack is not cleared and contains sensitive data Function is not reentrant or uses a risky encryption algorithm Encryption or decryption key is constant instead of randomized |
Related Guidelines
| CERT Oracle Secure Coding Standard for Java | MSC03-J. Never hard code sensitive information |
| MITRE CWE | CWE-259, Use of Hard-coded Password CWE-261, Weak Cryptography for Passwords CWE-311, Missing encryption of sensitive data CWE-319, Cleartext Transmission of Sensitive Information CWE-321, Use of Hard-coded Cryptographic Key CWE-326, Inadequate encryption strength CWE-798, Use of hard-coded credentials |
Bibliography
...
...